Hello,
I have 2 rules and they are:
6 chain=forward action=accept src-address=x.x.x.x
dst-limit=4000,20,src-address/1m log=no log-prefix=""
7 chain=forward action=drop src-address=x.x.x.x log=no log-prefix=""
So when I start flooding with hping from x.x.x.x to the internet, I see 60k pps on that VLAN and only 4k pps processed on my uplink. Now the issue is: how can I set that VLAN so that it only passes 4k pps?
I do not want to use queues because I want to use these rules for all of my clients and I do not want to limit them in bps.
I would really thank you if you can help me,
thanks
I have no fasttrack rule; all of them are for the MikroTik built-in fasttrack, and yes, I moved my rules to the first lines above all other rules and the issue still exists.
The firewall acts on L3. The hperf is sending the data to the router’s L3 interface in the VLAN, and the firewall properly throttles the pps as the packets are routed from the subnet which lives in the VLAN to the uplink. Do you want to throttle the pps between two member ports of the same vlan?
It seems like you are trying to do an L3 firewall rule on an L2 interface? Does your router route in and out of the VLAN? If not, you must use bridge firewall and/or queues.
Hi,
yes, my router routes in and out. This is my topology:
My Upstream → ETH1-Uplink ↔ My CCR 1036 (it has BGP too) ↔ VLAN10 (for dedicated server) ↔ ETH2-SwitchUPLINK ↔ CRS326/Brocade ↔ ETH10/User-Dedicated-Server
So when I used those firewall rules I had the same amount of pps on VLAN10 on my router, but I did not have that amount on ETH1-Uplink, and it causes high CPU load for me.
Do you understand me?
Without those firewall rules in question, the full volume of the traffic from a source in vlan10 towards the internet is passed to the uplink;
with the rules in place, the traffic is throttled so it does not get to the uplink in full volume.
So the rules do what they are expected to do.
The CPU shows a high load as the firewall processing is also done by the CPU, so no matter whether the packet is finally forwarded or dropped, the CPU had to inspect it and decide what to do with it. There is no way to lower the CPU load if you let the traffic volume reach the Mikrotik from outside.
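To make the point above concrete, here is a small simulation of the two-rule pattern from the thread (rule 6: accept while within `dst-limit=4000,20,src-address/1m`; rule 7: drop the rest). This is an added example, not code from the thread or from RouterOS; it models dst-limit as a per-source token bucket with the documented `count[/time],burst,mode[/expire]` fields, and the source address `192.0.2.10` is a constructed placeholder for x.x.x.x. Feeding it a 60k pps flood shows that every packet is still inspected by the forward chain (that is the CPU cost the reply describes) while only about 4k per second are accepted onto the uplink.

```python
"""Constructed simulation of the forward-chain dst-limit accept/drop pair (not RouterOS code)."""
from dataclasses import dataclass, field

US_PER_S = 1_000_000  # work in integer microseconds to avoid float drift


@dataclass
class DstLimit:
    """Per-key token bucket approximating dst-limit=count[/time],burst,mode[/expire].

    Integer accounting: one packet costs `time_us` credit units and every
    microsecond adds `count` units, so `count` packets per `time_us` are
    sustained, with `burst` extra packets allowed on top of the rate.
    """
    count: int                      # packets per window (4000 in the thread)
    time_us: int = US_PER_S         # window length, 1s by default
    burst: int = 20                 # packets not counted against the rate
    expire_us: int = 60 * US_PER_S  # forget a key after 1m of silence ("/1m")
    _buckets: dict = field(default_factory=dict)  # key -> (credit, last_seen_us)

    @property
    def cost(self) -> int:
        return self.time_us

    @property
    def capacity(self) -> int:
        return self.burst * self.cost

    def matches(self, key: str, now_us: int) -> bool:
        """True if this packet is still within the limit (rule 6 matches)."""
        credit, last = self._buckets.get(key, (None, None))
        if credit is None or now_us - last > self.expire_us:
            # unknown or expired source: start with a full burst allowance
            credit, last = self.capacity, now_us
        credit = min(self.capacity, credit + self.count * (now_us - last))
        if credit >= self.cost:
            self._buckets[key] = (credit - self.cost, now_us)
            return True
        self._buckets[key] = (credit, now_us)
        return False


def run_forward_chain(packets, limiter):
    """Rule 6 (accept within dst-limit) then rule 7 (drop) for each packet.

    Every packet passes through the chain, so `inspected` is the work the
    router CPU does regardless of the final verdict.
    """
    accepted = dropped = 0
    for src, ts_us in packets:
        if limiter.matches(src, ts_us):   # rule 6: accept
            accepted += 1
        else:                             # rule 7: drop everything else
            dropped += 1
    return {"inspected": accepted + dropped, "accepted": accepted, "dropped": dropped}


def flood(src, pps, seconds=1):
    """Constructed flood: `pps` evenly spaced packets per second from `src`."""
    return [(src, i * US_PER_S // pps) for i in range(pps * seconds)]


def simulate_thread_scenario():
    """60k pps from one source for one second against the thread's rule pair."""
    limiter = DstLimit(count=4000, burst=20)
    return run_forward_chain(flood("192.0.2.10", 60_000), limiter)


def simulate_burst_only():
    """21 packets at the same instant: exactly `burst` are accepted."""
    limiter = DstLimit(count=4000, burst=20)
    return run_forward_chain([("192.0.2.10", 0)] * 21, limiter)


if __name__ == "__main__":
    print(simulate_thread_scenario())  # all 60000 inspected, ~4k accepted
    print(simulate_burst_only())
```

The accepted count comes out a little above 4000 because the burst allowance of 20 is spent on top of the sustained 4000 packets per second; the drop count is everything else, and none of it was free for the CPU.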
Understood,
if I want to have limited traffic on vlan10 I should limit the traffic on the switch, right? So the traffic does not reach VLAN10 and the CCR does not process it? Any other way, the traffic would reach vlan10, right? (When traffic reaches vlan10 I can decide to drop or forward it, right?)
Correct in all points. Just instead of throttling the traffic on the switch between the source device and the Mikrotik, it might be possible to set a bandwidth limit directly on that device, depending on what it actually is (you normally can on a Linux server, you normally cannot on a smartphone).